On Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) publicly expanded an emergency mitigation directive, first issued for US government agencies, after the Russian-backed hacker group Midnight Blizzard was found escalating its previous Microsoft email hack.
The original Emergency Directive (ED) was issued to federal agencies on April 2nd to all agencies whose email correspondence with Microsoft was identified as exfiltrated by Midnight Blizzard, CISA said.
“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, ensuring that federal civilian agencies are taking all necessary steps to secure their networks and systems is among our top priorities. This Emergency Directive requires immediate action by agencies to reduce risk to our federal systems,” said CISA Director Jen Easterly.
The Directive – titled “Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System” – requires agencies to analyze potentially affected emails, reset any compromised credentials, and take additional steps to secure privileged Microsoft Azure accounts.
The Russian-state-sponsored hackers had been detected by Microsoft back on January 12th, 2024, attempting to infiltrate the tech giant’s corporate systems.
In a January SEC disclosure filing, Microsoft claimed it had disrupted any malicious activity and immediately shut down access to its systems.
But now it appears the hackers were able to access more than originally thought.
Microsoft identified the hackers as Midnight Blizzard – also known as Nobelium, APT29, or Cozy Bear – the same group behind the SolarWinds attack on the US government in 2020.
On March 8th, Microsoft revealed that during the January incident, Midnight Blizzard was able to gain access to the company’s source code repositories and internal systems, which included Microsoft’s corporate email systems.
Microsoft has since discovered that some of the data exfiltrated by the group included email exchanges containing authentication details, such as credentials or passwords, shared between Microsoft and its customers.
According to CISA, Midnight Blizzard has been attempting to use the stolen authentication information to gain additional access – sometimes successfully – to certain Microsoft customer systems. The cybersecurity watchdog has not disclosed which or how many US government agencies were affected.
Microsoft said the group has increased “the volume of some aspects of the intrusion campaign, such as password sprays, by as much as 10-fold in February.”
“For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian playbook; this latest compromise of Microsoft adds to their long list. We will continue efforts in collaboration with our federal government and private sector partners to protect and defend our systems from such threat activity,” Easterly said.
Under the directive, all federal agencies are mandated to review and implement any necessary security measures listed by CISA, while private sector organizations are being encouraged to contact Microsoft for guidance.
Microsoft responded to the directive, stating it was "working with our customers to help them investigate and mitigate. This includes working with CISA on an emergency directive to provide guidance to government agencies," reported Reuters
“Regardless of direct impact, all organizations are strongly encouraged to apply stringent security measures, including strong passwords, multi-factor authentication (MFA), and prohibited sharing of unprotected sensitive information via insecure channels,” CISA said.
CISA says the directive will remain in effect until it's satisfied that agencies have performed their due diligence as required.
Just last week, a scathing report by the US Cyber Safety Review Board blamed Microsoft for a separate hack involving Chinese-sponsored hackers.
The board said the attack had been "preventable," citing cybersecurity lapses and a deliberate lack of transparency from the tech giant.
Your email address will not be published. Required fields are markedmarked